* Ensure that we set the default DH parameters for the key

Replace the else with an if, as the if branch no longer guarantees that
custom DH parameters have been loaded.
This fixes a regression that caused the default DH parameters for a key
to no longer be set, effectively disabling DH ciphers when no explicit
DH parameters are configured.

PR: 68863


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
Ruediger Pluem
2024-04-08 13:18:28 +00:00
parent 8ffa19a1f7
commit dee1eb37d7
2 changed files with 9 additions and 5 deletions


@ -0,0 +1,3 @@
*) mod_ssl: Fix a regression that causes the default DH parameters for a key
no longer set and thus effectively disabling DH ciphers when no explicit
DH parameters are set. PR 68863 [Ruediger Pluem]


@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
int i;
EVP_PKEY *pkey;
int custom_dh_done = 0;
#ifdef HAVE_ECC
EC_GROUP *ecgroup = NULL;
int curve_nid = 0;
@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
*/
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
if (certfile && !modssl_is_engine_id(certfile)) {
int done = 0, num_bits = 0;
int num_bits = 0;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
DH *dh = modssl_dh_from_file(certfile);
if (dh) {
num_bits = DH_bits(dh);
SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
DH_free(dh);
done = 1;
custom_dh_done = 1;
}
#else
pkey = modssl_dh_pkey_from_file(certfile);
@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
EVP_PKEY_free(pkey);
}
else {
done = 1;
custom_dh_done = 1;
}
}
#endif
if (done) {
if (custom_dh_done) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s",
num_bits, vhost_id, certfile);
}
}
#if !MODSSL_USE_OPENSSL_PRE_1_1_API
else {
if (!custom_dh_done) {
/* If no parameter is manually configured, enable auto
* selection. */
SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
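Review bot: On the OpenSSL < 3.0 path the result of `SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);` is discarded, so a failed install still sets `custom_dh_done = 1`, which now both suppresses the `SSL_CTX_set_dh_auto()` fallback and logs APLOGNO(02540) claiming custom parameters were loaded; the OpenSSL 3 branch appears to gate `custom_dh_done = 1` on the outcome of the `SSL_CTX_set0_tmp_dh_pkey()` call (its `else` follows the branch that frees `pkey`, though the condition itself is cut from the hunk). Mirror that on the legacy path, e.g. `if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh) == 1) { custom_dh_done = 1; }` followed by `DH_free(dh);`. Separately, when the certificate file does carry a DH block but installing it fails, both branches now drop silently to automatic selection; an APLOG_WARNING at that point would tell the administrator their explicitly configured parameters were ignored rather than leaving only the absence of the debug line as evidence. ssl_init_server_certs starts before the first hunk and continues past the last one, so the `#endif` closing this block is outside the view.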